[exim] Re: exim spitting out "bad certificate" log lines

Pàgina inicial
Delete this message
Reply to this message
Autor: Cyborg
Data:  
A: exim-users
Assumpte: [exim] Re: exim spitting out "bad certificate" log lines
Am 13.07.23 um 16:09 schrieb Viktor Dukhovni via Exim-users:
>
> If the issue is observed on the MX host for your domain, note that its
> certificate chains up to the already expired "DST Root CA X3":


where do you see an expired cert here?  Or did you mean "soon to be
reaching eol" ?
>      Certificate:
>              Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
>                  Not Before: Jan 20 19:14:03 2021 GMT
>                  Not After : Sep 30 18:14:03 2024 GMT
>              Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
>
> While most clients have a local trusted "ISRG Root X1" CA, and
> short-circuit the chain at the first locally trusted issuer, some might
> not perform the short-circuit lookup (e.g. old OpenSSL versions prior to
> 1.1.0).
>
> You should reconfigure your Let's Encrypt setup to obtain a chain that's
> rooted at the ISRG CA.  With certbot, add to the
> "renewal/<lineage>.conf" file's "renewalparams" section:
>


A good hint, we use "Dehydrated" here, have to figure out how to do it here.



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/